Security News > 2022 > May > Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory

Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory
2022-05-10 02:48

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution.

"The vulnerability was specific to the third-party Open Database Connectivity driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime and did not impact Azure Synapse as a whole," the company said.

In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

That said, the Redmond-based company has shared Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers from potential exploitation, adding it's working to bolster the security of third-party data connectors by working with driver vendors.

The findings come a little over two months after Microsoft remediated an "AutoWarp" flaw impacting its Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and take over control.

Last month, Microsoft also resolved a pair of issues - dubbed "ExtraReplica" - with the Azure Database for PostgreSQL Flexible Server that could result in unapproved cross-account database access in a region.


News URL

https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399